Nostr Web Client

after working on Damoose (safari extension), it seems nostore is pretty insecure because it exposes your private key to the javascript environment.

Since we store your key in the iOS keystore, we can just access this from the plugin background process instead of the browser's javascript runtime environment.

We can sandbox the plugin process to disable outgoing networking connection, so it can only send messages to and from the browser, so it should be way more secure than what nostore was doing.

Ƒʉͫcͧкͭιͪηͣ 𝕵𝖔𝖍𝖓 ⚡️⚡️ 1y ago

Apple Problems as usual

nostr:nevent1qqs96t58lszflzkevzswdwyz2ts8s8x5ymgz8l3w3y6wv8pyqdgdxzcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygpjuxp8vd29p6ancknaztql3eajk52y8xkppfn7au7elkw9c68zg5psgqqqqqqs54t4hr

Reply to this note

Please Login to reply.

Discussion

jb55 1y ago

wdym? this is a problem with all nip07 plugins except ones that communicate to a native app or device that does the signing. I think all nip07 plugins currently work this way.

Ƒʉͫcͧкͭιͪηͣ 𝕵𝖔𝖍𝖓 ⚡️⚡️ 1y ago

So than that's fucked up

Is it true nostr:npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6 Nos2x extension leak the nsec on Javascript environment?

And what about Amber nostr:npub1w4uswmv6lu9yel005l3qgheysmr7tk9uvwluddznju3nuxalevvs2d0jr5

jb55 1y ago

it doesn't leak it to websites, since extensions are isolated. damoose just takes it a step further and isolates it from the js-plugin environment. it acts as a native signer that is network-sandboxed. your keys are likely fine, this is just improving the security even more.